
There is a legal advantage that passwords have that passkeys and FIDO and so on do not have. In civilized countries, no one can force you to hand over a password (as you have a right to not incriminate yourself). That does not hold for property which can be confiscated or even biometric attributes which can be taken against your will legally.

Theoretically, passkeys could still offer this advantage if they are stored exclusively on my phone which is encrypted and secured with a password.



Passkeys are an authentication mechanism, and as such replace (authentication) passwords, not (encryption) passphrases.

A password (at least as I understand the term) is used to authenticate to some third-party entity to get access to your data or services. The (implied or legal) contract here is: "Only give access to my data to anybody that can provide my password."

Government authorities can in most cases just go to the service and demand that access legally; there is no need to get your password through whatever means.

A passphrase, on the other hand, can be used to encrypt your data directly, and the service provider might not be able to hand over your data to the authorities without it.


Great! Where can I type those passphrases in Google Mail or O365 or a million other services to secure my data?

Oh? Nowhere? Then why are you even talking about the distinction?

Also, the passphrase definition is definitely not "a password used for encryption", I dunno where you pulled that from. The original meaning is just "longer, more secure password".


> Then why are you even talking about the distinction?

GP was talking about the legal implications of using a hardware authenticator vs. a password.

> The original meaning is just "longer, more secure password"

And where do you usually need a longer, more secure password? Encryption (as opposed to authentication, where you can often rate-limit attempts) immediately comes to mind.

> I dunno where you pulled that from.

From https://en.wikipedia.org/wiki/Passphrase:

[...], especially those that derive an encryption key from a passphrase [...]


This is incorrect because you're conflating access by request and access with a court order. Without a warrant, or even probable cause, police can get some metadata, but not everything in the cloud. In many places police can force you to use biometrics to unlock devices, but not compel a passphrase. (Passphrases are significantly harder for e.g. GrayKey to glitch brute force than PINs.)


What's "access by request"?

> Passphrases are significantly harder for e.g. GrayKey to glitch brute force than PINs.

PINs are their own thing, i.e. neither passwords nor passphrases. They form a hierarchy:

Passphrases: High (enough) entropy; can be stretched into an encryption key using a PBKDF.

Passwords: Medium entropy; long enough to be somewhat brute-force resistant in case of a database breach. Can't really be used to encrypt data by themselves.

PINs: Very low entropy; must be part of a larger, trusted system that can reliably enforce limits on invalid PIN attempts. Practically, this means tamper-resistant hardware, e.g. an HSM, TPM, smartcard, YubiKey...
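The hierarchy above in runnable form, as an added example that is not from any commenter: it stretches a secret into a key with PBKDF2 and scores the secret under the two threat models the comment distinguishes, offline guessing against directly encrypted data versus a tamper-resistant device that counts attempts. The iteration count, attacker throughput, attempt limit and adequacy thresholds are assumptions chosen for illustration.

```python
import hashlib
import math

# Constructed assumptions, not taken from the thread: PBKDF2-HMAC-SHA256 as
# the PBKDF, a hypothetical attacker testing 1e6 stretched guesses per second
# offline, and a hypothetical secure element that wipes after 10 wrong tries.
ITERATIONS = 600_000
OFFLINE_GUESSES_PER_SEC = 1e6
HARDWARE_ATTEMPT_LIMIT = 10
OFFLINE_MIN_BITS = 80           # assumed bar for a secret that must stand alone
ONLINE_MAX_SUCCESS_PROB = 1e-3  # assumed acceptable odds within the attempt limit


def derive_key(secret: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a passphrase (or any secret) into a 256-bit encryption key."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt,
                               iterations, dklen=32)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly chosen secret: `length` symbols from an alphabet."""
    return length * math.log2(alphabet_size)


def offline_expected_seconds(bits: float) -> float:
    """Expected time to hit the secret offline (half the keyspace on average)."""
    return (2.0 ** bits) / 2.0 / OFFLINE_GUESSES_PER_SEC


def online_success_probability(bits: float,
                               attempts: int = HARDWARE_ATTEMPT_LIMIT) -> float:
    """Odds of guessing within a hard attempt limit; the limit, not entropy, rules."""
    return min(1.0, attempts / (2.0 ** bits))


def classify(bits: float, offline_possible: bool) -> str:
    """Judge a secret for one threat model: data encrypted directly (offline
    guessing is possible) versus a tamper-resistant device counting attempts."""
    if offline_possible:
        return "adequate" if bits >= OFFLINE_MIN_BITS else "inadequate"
    return ("adequate"
            if online_success_probability(bits) <= ONLINE_MAX_SUCCESS_PROB
            else "inadequate")


if __name__ == "__main__":
    pin_bits = entropy_bits(10, 6)      # 6-digit PIN
    word_bits = entropy_bits(7776, 7)   # 7 diceware-style words
    print("PIN, offline:", classify(pin_bits, True),
          f"(~{offline_expected_seconds(pin_bits):.1f}s to crack)")
    print("PIN, attempt-limited hardware:", classify(pin_bits, False))
    print("passphrase, offline:", classify(word_bits, True))
    print("key:", derive_key("correct horse battery staple", b"example-salt").hex()[:16])
```

The same 6-digit PIN comes out adequate behind an attempt-limited secure element and inadequate the moment the stretched hash can be attacked offline, which is the whole reason PINs sit at the bottom of the hierarchy.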


The police just ask the company for the data.

https://en.wikipedia.org/wiki/Third-party_doctrine

---

You're introducing key stretching for unknown reasons. It's irrelevant for attacks on e.g. iPhones -- they're not cracking encryption, they're doing dictionary attacks.


> In civilized countries, no one can force you to hand over a password (as you have a right to not incriminate yourself).

Which countries?

In the US, the intersection between 5th amendment rights and password disclosure is not complete. You can be forced to disclose a password in certain circumstances here.


This was not my understanding so I looked it up and found this: https://www.reuters.com/business/legal/us-supreme-court-nixe...

Wherein it mentions passwords are considered testimonial and therefore protected by the 5th, but device passcodes were ruled to be exempted under the "foregone conclusion" exception to the 5th (TIL about that).

Is this the kind of thing you are referring to?


Exactly.


As I said, civilized countries. Unfortunately, lots of countries do not adhere to their own constitution anymore, which I believe is mostly caused by a lack of technology understanding. I would guess that the judges that force Alice to hand over the passphrase for her phone encryption wouldn't force the CEO of a company to hand over the key to the safe that contains incriminating info.


In Canada it has been upheld that you cannot be compelled to divulge your passwords as it violates the Charter of Rights and Freedoms.


And if you don't comply?

With biometric data like Face ID or a fingerprint it's easier for them to get access.


I think in Florida v. Voigt someone was sentenced to 6 months for not handing over their iPhone password in an extortion case. If I recall, the phone was ultimately hacked to get the evidence.


Pretty much only the US makes this right explicit. I know France tacks on more charges to protesters who refuse to unlock their phones when arrested.


Has that been tested with the ECJ yet?


As opposed to where you store your passwords? I can only speak for me, but they're in 1Password; if the police get my phone, the same thing protects 1Password as would protect these passkey private keys: FaceID, maybe a PIN if a lockout can be triggered before they get it, and at its core, the Secure Enclave. There's no legal advantage to passwords, unless you were actually memorizing every password you've got (and if that's the case, son we got bigger fish to fry).

A ton of people in our bubble have this Mission Impossible-esque view of their security footprint, which simply isn't true in reality. It's XKCD 538 every time this comes up.



